Re: RE: OSSTMM how good is it?

From: stevearmstrong@logicallysecure.com
Date: Thu May 18 2006 - 06:37:54 EDT


Weird, I trust IS1 more than CRAMM, if for no other reason than all the info is on one page and not spread through pages of data entry and meaningless figures.
How do you generate your equivalent of the Accreditation Doc Set? How do you document your risks etc., as CRAMM output is more SSP and SyOps stuff, which is way in the past (memo 5 went out about 98/99)?
I am assuming you are working under MPS, in which case the OSSTMM will not gain you anything more officially as it is not recognised, and if your accreditor doesn't trust the HMG method of assessing residual risk then what do they trust?

OSSTMM is a good methodology but I think you may be adding another layer to a problem. If your threat identification process is conducted correctly (with either IS1 or 2) then you will have the key attack vectors identified, either by using attacking groups from IS1 or by looking at domain-based security attack vectors against the data islands (IS2). After this you should be able to identify key areas for focused and detailed testing, the results of which will allow you to 'put to bed' those vectors.

However, and I may be wrong here, you aren't getting these kinds of indicators of areas to test because of the type of output CRAMM generates.
It honestly sounds like your accreditor is all screwed up! And to be honest (speaking as both a former tester and accreditor) you need direction from them as to what kind of output they want for testing. OSSTMM is thorough and will uncover problems with your system (complexity and tester skill permitting), but you cannot just point a team at a network and say 'go do an OSSTMM test on that network/system' as it is too generic.

To satisfy a good accreditor, targeted testing at high-risk or vulnerable points is required. If you gave me an OSSTMM test on a network I would accept it, but it would only be a starting point for further testing and therefore probably overkill. Without a good process to identify the correct risks, time and effort are being wasted.

Just my 2p

Steve A

-------------------------------------------------

UK IT Security Forum - www.logicallysecure.com/forum

-------------------------------------------------




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:59 EDT